6:53 a.m.
Hi there guys.
Recently we had an internal audit and it seems that our opelndap server is
not configured properly, it seems that null bind are allowed and Crafted
request as well are permited and it would be nice if anyone of you could
lend me a hand to fix this:
There are the access list:
olcAccess: {0}to attrs=userPassword by dn="cn=Manager,dc=domain,dc=com" wr
ite by anonymous auth by self write by * none
olcAccess: {1}to
attrs=cn,sn,memberUid,uidNumber,pwdHistory,pwdPolicySubentry,
gidNumber,homeDirectory,givenName,description,loginShell by self write by
ano
nymous read by * none
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by dn="cn=Manager,dc=domain,dc=com" write by * read
And from a client I got the following:
ldapsearch -x -s base -b '' -H ldap://ldapserver "(objectClass=*)"
"*" +
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectClass=*)
# requesting: * +
#
dn:
objectClass: top
objectClass: OpenLDAProotDSE
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
monitorContext: cn=Monitor
namingContexts: dc=domain,dc=com
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.1.8
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 3
entryDN:
subschemaSubentry: cn=Subschema
It seems it's no good at all, any help appreciated
Best regards
9:09 a.m.
Am Mon, 27 Oct 2014 10:53:07 -0300
schrieb Net Warrior <netwarrior863(a)gmail.com>:
Hi there guys.
Recently we had an internal audit and it seems that our opelndap
server is not configured properly, it seems that null bind are
allowed and Crafted request as well are permited and it would be nice
if anyone of you could lend me a hand to fix this:
There are the access list:
olcAccess: {0}to attrs=userPassword by
dn="cn=Manager,dc=domain,dc=com" wr ite by anonymous auth by self
write by * none
olcAccess: {1}to
attrs=cn,sn,memberUid,uidNumber,pwdHistory,pwdPolicySubentry,
gidNumber,homeDirectory,givenName,description,loginShell by self
write by ano
nymous read by * none
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by dn="cn=Manager,dc=domain,dc=com" write by * read
And from a client I got the following:
ldapsearch -x -s base -b '' -H ldap://ldapserver "(objectClass=*)"
"*" + # extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectClass=*)
# requesting: * +
#
dn:
objectClass: top
objectClass: OpenLDAProotDSE
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
monitorContext: cn=Monitor
namingContexts: dc=domain,dc=com
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.1.8
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 3
entryDN:
subschemaSubentry: cn=Subschema
It seems it's no good at all, any help appreciated
Best regards
A LDAP client should know the servers capabilities in order to connect
in conformance with the protocol. So there is nothing bad about this
search result.
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
11:30 a.m.
Thanks for the answer, but, from the query I shown, you can see that the
DIT is displayed "namingContexts: dc=domain,dc=com" and knowking that, I
can make a ldapserch -x pointing tho the server and the base search for
example and list all the domain users, isn't it a security concern? I
tested it and it works, how can I create an access list to prevent this,
disable the simple auth or disable those anonymous queries ?
Thanks for your time and support.
Regards
2014-10-27 13:09 GMT-03:00 Dieter Klünter <dieter(a)dkluenter.de>:
Am Mon, 27 Oct 2014 10:53:07 -0300
schrieb Net Warrior <netwarrior863(a)gmail.com>:
> Hi there guys.
>
> Recently we had an internal audit and it seems that our opelndap
> server is not configured properly, it seems that null bind are
> allowed and Crafted request as well are permited and it would be nice
> if anyone of you could lend me a hand to fix this:
>
> There are the access list:
>
> olcAccess: {0}to attrs=userPassword by
> dn="cn=Manager,dc=domain,dc=com" wr ite by anonymous auth by self
> write by * none
>
> olcAccess: {1}to
> attrs=cn,sn,memberUid,uidNumber,pwdHistory,pwdPolicySubentry,
> gidNumber,homeDirectory,givenName,description,loginShell by self
> write by ano
> nymous read by * none
>
> olcAccess: {2}to dn.base="" by * read
>
> olcAccess: {3}to * by dn="cn=Manager,dc=domain,dc=com" write by * read
>
> And from a client I got the following:
>
> ldapsearch -x -s base -b '' -H ldap://ldapserver
"(objectClass=*)"
> "*" + # extended LDIF
> #
> # LDAPv3
> # base <> with scope baseObject
> # filter: (objectClass=*)
> # requesting: * +
>
> #
> dn:
> objectClass: top
> objectClass: OpenLDAProotDSE
> structuralObjectClass: OpenLDAProotDSE
> configContext: cn=config
> monitorContext: cn=Monitor
> namingContexts: dc=domain,dc=com
> supportedControl: 2.16.840.1.113730.3.4.18
> supportedControl: 2.16.840.1.113730.3.4.2
>
> supportedControl: 1.3.6.1.4.1.4203.1.10.1
> supportedControl: 1.2.840.113556.1.4.319
> supportedControl: 1.2.826.0.1.3344810.2.3
> supportedControl: 1.3.6.1.1.13.2
> supportedControl: 1.3.6.1.1.13.1
> supportedControl: 1.3.6.1.1.12
> supportedExtension: 1.3.6.1.4.1.1466.20037
> supportedExtension: 1.3.6.1.4.1.4203.1.11.1
> supportedExtension: 1.3.6.1.4.1.4203.1.11.3
> supportedExtension: 1.3.6.1.1.8
> supportedFeatures: 1.3.6.1.1.14
> supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
> supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
> supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
> supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
> supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
> supportedLDAPVersion: 3
> entryDN:
> subschemaSubentry: cn=Subschema
> It seems it's no good at all, any help appreciated
> Best regards
A LDAP client should know the servers capabilities in order to connect
in conformance with the protocol. So there is nothing bad about this
search result.
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
11:40 a.m.
Net Warrior wrote:
Thanks for the answer, but, from the query I shown, you can see that
the
DIT is displayed "namingContexts: dc=domain,dc=com" and knowking that, I
can make a ldapserch -x pointing tho the server and the base search for
example and list all the domain users, isn't it a security concern? I
tested it and it works, how can I create an access list to prevent this,
disable the simple auth or disable those anonymous queries ?
Knowing namingContexts or not is not a matter of security.
Having decent ALCs in place to protect the entries beneath dc=domain,dc=com is.
Just locking down rootDSE does not help at all.
Ciao, Michael.
11:43 a.m.
Hi Michael
Based on the the ACL's I posted from my configuration, what else can you
recommend to include, tweak or modify?
Thank you very much!
Regards
2014-10-27 15:40 GMT-03:00 Michael Ströder <michael(a)stroeder.com>:
Net Warrior wrote:
> Thanks for the answer, but, from the query I shown, you can see that the
> DIT is displayed "namingContexts: dc=domain,dc=com" and knowking that, I
> can make a ldapserch -x pointing tho the server and the base search for
> example and list all the domain users, isn't it a security concern? I
> tested it and it works, how can I create an access list to prevent this,
> disable the simple auth or disable those anonymous queries ?
Knowing namingContexts or not is not a matter of security.
Having decent ALCs in place to protect the entries beneath
dc=domain,dc=com is.
Just locking down rootDSE does not help at all.
Ciao, Michael.
12:04 p.m.
Net Warrior wrote:
Based on the the ACL's I posted from my configuration, what else
can you
recommend to include, tweak or modify?
I did not have a closer look at your ACLs.
ACL design depends very much on *your* requirements and system landscape.
For example I've designed the system which does not allow any anonymous access
and authorizes on a paranoid need-to-know principle.
The problem is: If you allowed anonymous access in the past it's usually hard
to turn on authentication and authorization for all your existing applications.
All in all it's your homework.
Ciao, Michael.
2:29 p.m.
Am Mon, 27 Oct 2014 15:30:49 -0300
schrieb Net Warrior <netwarrior863(a)gmail.com>:
Thanks for the answer, but, from the query I shown, you can see that
the DIT is displayed "namingContexts: dc=domain,dc=com" and knowking
that, I can make a ldapserch -x pointing tho the server and the base
search for example and list all the domain users, isn't it a
security concern? I tested it and it works, how can I create an
access list to prevent this, disable the simple auth or disable those
anonymous queries ?
Thanks for your time and support.
If you allow an anonymous read access on a subtree, that in fact might
be serious security issue, depending on the data.
You, or your management, should define a policy, WHO is allowed to do
WHAT on the directories data. Based on this written and agreed policy,
access rules may be defined. This rules might be simple or paranoid,
but that is the art of directory management.
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
5:55 a.m.
On Mon, Oct 27, 2014 at 03:43:03PM -0300, Net Warrior wrote:
Based on the the ACL's I posted from my configuration, what else
can you
recommend to include, tweak or modify?
As both Michael and Dieter have said, this is very dependent on your
site's requirements and policy. You need to work out what those are.
If you can answer these questions, we might be able to help you some more:
1) Should an anonymous user be able to get any data at all?
(Ignore the root entry: we are talking about the subtree
under dc=domain,dc=com here)
2) What classes of user should have access to the data?
Examples might be:
LDAP administrator
Web applications
Desktop addressbook users
Webmail users
Directory synchronisation processes
3) For each of the above, what data (entries and attributes)
do they need?
4) How will the users authenticate to the LDAP service?
i.e. Will the user DNs and passwords be configured into
the applications, or is the human user expected to supply
a username and password each time?
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
7:03 a.m.
Hi, really appreciate your help.
1 - Well, users only authenticate their passwords, nothing else, on the
client side to login to the server, so I guess anon logins should not be
allowed.
2 - I use the Manager account to login to the phplpdapadmin console or
apache directory studio.
3 - Password and groups and ppolicy
4 - Using pam on the client side, a human is expected to provide username
and password which is working along with the ppolicy, expiration time ,
password lenght and so on. I can provide how's configured if you want.
Thanks for your time and support
Regards
2014-10-28 9:55 GMT-03:00 Andrew Findlay <andrew.findlay(a)skills-1st.co.uk>:
On Mon, Oct 27, 2014 at 03:43:03PM -0300, Net Warrior wrote:
> Based on the the ACL's I posted from my configuration, what else can you
> recommend to include, tweak or modify?
As both Michael and Dieter have said, this is very dependent on your
site's requirements and policy. You need to work out what those are.
If you can answer these questions, we might be able to help you some more:
1) Should an anonymous user be able to get any data at all?
(Ignore the root entry: we are talking about the subtree
under dc=domain,dc=com here)
2) What classes of user should have access to the data?
Examples might be:
LDAP administrator
Web applications
Desktop addressbook users
Webmail users
Directory synchronisation processes
3) For each of the above, what data (entries and attributes)
do they need?
4) How will the users authenticate to the LDAP service?
i.e. Will the user DNs and passwords be configured into
the applications, or is the human user expected to supply
a username and password each time?
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
7:41 a.m.
On Tue, Oct 28, 2014 at 11:03:44AM -0300, Net Warrior wrote:
1 - Well, users only authenticate their passwords, nothing else, on
the client
side to login to the server, so I guess anon logins should not be allowed.
So is the LDAP service just used to provide passwd and group databases
for Unix-like systems, and not for any other purpose?
2 - I use the Manager account to login to the phplpdapadmin console
or apache
directory studio.
If my guess above is right then you have missed a very important class
of LDAP user. Every Unix-like server must access LDAP data.
Do your Unix/Linux systems bind to LDAP with specific DNs?
(This will be configured in files such as /etc/ldap.conf /etc/nslcd.conf
/etc/sssd.conf etc...)
3 - Password and groups and ppolicy
4 - Using pam on the client side, a human is expected to provide username and
password which is working along with the ppolicy, expiration time , password
lenght and so on. I can provide how's configured if you want.
Right, so the account(s) used by the Unix-like systems must be able to search
based on username, groupname, numeric UID and numeric GID. Those accounts must
also be able to retrieve most attributes from the LDAP entries (though not
the password value).
I assume you allow users to change their own passwords. How is this handled?
Are users allowed to update any other details, or do all changes come to you?
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
9:53 a.m.
Hi Andrew.
So is the LDAP service just used to provide passwd and group
databases
for Unix-like systems, and not for any other purpose?
Yes, only password auth
If my guess above is right then you have missed a very important
class
of LDAP user. Every Unix-like server must access LDAP data.
Do your Unix/Linux systems bind to LDAP with specific DNs?
(This will be configured in files such as /etc/ldap.conf /etc/nslcd.conf
/etc/sssd.conf etc...)
Yes,
ldap.conf client config file.
base dc=server,dc=com
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=Manager,dc=example,dc=com
bind_policy soft
idle_timelimit 3600
pam_filter objectClass=posixAccount
pam_lookup_policy yes
pam_check_host_attr yes
pam_password exop
nss_base_passwd ou=Users,dc=server,dc=com?one
nss_base_shadow ou=Users,dc=server,dc=com?one
nss_base_group ou=Groups,dc=server,dc=com?one
ssl start_tls
#ssl on
tls_cacertfile /etc/openldap/certs/cert.pem
tls_cacertdir /etc/openldap/certs
I assume you allow users to change their own passwords. How is this
handled?
Are users allowed to update any other details, or do all changes come
to
you?
yes, they can change their password based on the ppolicy and the pam
module, other properties are changed
by me, like phone number, photo, address and so on.
auth required pam_env.so
auth required pam_tally2.so deny=5 unlock_time=1800
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 minlen=7
dcredit=-2 ocredit=-2 difok=2 maxrepeat=2
password sufficient pam_unix.so sha256 shadow nullok try_first_pass
use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond
quiet use_uid
session required pam_unix.so
Password policy
dn: cn=default,ou=Policies,dc=server,dc=com
cn: default
objectClass: pwdPolicyChecker
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdMinAge: 604800
pwdMaxAge: 5184000
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 432000
pwdFailureCountInterval: 30
pwdLockout: TRUE
pwdSafeModify: FALSE
sn: Password Policies
structuralObjectClass: person
entryUUID: 3cd52690-0ba9-1032-96ec-87e546c35b73
creatorsName: cn=Manager,dc=server,dc=com
createTimestamp: 20130215105020Z
pwdGraceAuthNLimit: 0
pwdMinLength: 8
pwdLockoutDuration: 54000
pwdInHistory: 3
pwdMaxFailure: 5
Default access lists
creatorsName: cn=config
createTimestamp: 20130215092101Z
olcAccess: {0}to attrs=userPassword by dn="cn=Manager,dc=server,dc=com" wr
ite by anonymous auth by self write by * none
olcAccess: {1}to
attrs=cn,sn,memberUid,uidNumber,pwdHistory,pwdPolicySubentry,
gidNumber,homeDirectory,givenName,description,loginShell by self write by
ano
nymous read by * none
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by dn="cn=Manager,dc,server,dc=com" write by * read
Thanks for your time and support
Regards
2014-10-28 11:41 GMT-03:00 Andrew Findlay <andrew.findlay(a)skills-1st.co.uk>:
On Tue, Oct 28, 2014 at 11:03:44AM -0300, Net Warrior wrote:
> 1 - Well, users only authenticate their passwords, nothing else, on the
client
> side to login to the server, so I guess anon logins should not be
allowed.
So is the LDAP service just used to provide passwd and group databases
for Unix-like systems, and not for any other purpose?
> 2 - I use the Manager account to login to the phplpdapadmin console or
apache
> directory studio.
If my guess above is right then you have missed a very important class
of LDAP user. Every Unix-like server must access LDAP data.
Do your Unix/Linux systems bind to LDAP with specific DNs?
(This will be configured in files such as /etc/ldap.conf /etc/nslcd.conf
/etc/sssd.conf etc...)
> 3 - Password and groups and ppolicy
> 4 - Using pam on the client side, a human is expected to provide
username and
> password which is working along with the ppolicy, expiration time ,
password
> lenght and so on. I can provide how's configured if you want.
Right, so the account(s) used by the Unix-like systems must be able to
search
based on username, groupname, numeric UID and numeric GID. Those accounts
must
also be able to retrieve most attributes from the LDAP entries (though not
the password value).
I assume you allow users to change their own passwords. How is this
handled?
Are users allowed to update any other details, or do all changes come to
you?
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
11:43 a.m.
On Tue, Oct 28, 2014 at 01:53:22PM -0300, Net Warrior wrote:
>So is the LDAP service just used to provide passwd and group
databases
>for Unix-like systems, and not for any other purpose?
Yes, only password auth
OK. How many systems (approximately) use this? How many users are registered,
and how many groups?
>If my guess above is right then you have missed a very important
class
>of LDAP user. Every Unix-like server must access LDAP data.
>Do your Unix/Linux systems bind to LDAP with specific DNs?
>(This will be configured in files such as /etc/ldap.conf /etc/nslcd.conf
>/etc/sssd.conf etc...)
Yes,
ldap.conf client config file.
base dc=server,dc=com
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=Manager,dc=example,dc=com
I hope you don't really bind with the ROOTDN account!
That would expose the most important password in your system to anyone
who managed to compromise a single server.
I would suggest creating either a single account for all client machines
of a given type, or one account per client machine. That way if one
client gets compromised you just have to change one password and don't have
to rush around fixing every other client config. Please tell us what you decide
to do here, as it affects how the ACLs might be written.
bind_policy soft
idle_timelimit 3600
pam_filter objectClass=posixAccount
pam_lookup_policy yes
pam_check_host_attr yes
pam_password exop
nss_base_passwd ou=Users,dc=server,dc=com?one
nss_base_shadow ou=Users,dc=server,dc=com?one
nss_base_group ou=Groups,dc=server,dc=com?one
ssl start_tls
#ssl on
tls_cacertfile /etc/openldap/certs/cert.pem
tls_cacertdir /etc/openldap/certs
You should also add:
tls_reqcert demand
and you may want to consider restricting the connection to high-grade ciphers e.g.:
tls_ciphers HIGH:MEDIUM:@STRENGTH
>I assume you allow users to change their own passwords. How is
this handled?
>Are users allowed to update any other details, or do all changes come to you?
yes, they can change their password based on the ppolicy and the pam module,
other properties are changed
by me, like phone number, photo, address and so on.
OK, and the config lines above include 'pam_password exop' so it should use
the modern mechanism.
I am signing off for the day, but you might like to read this paper
bearing in mind what we have discussed:
http://www.skills-1st.co.uk/papers/ldap-acls-jan-2009/
I think we are heading for a very simple 'User read-only' policy, but there
may be other issues to consider depending on the size of your user-base.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
4:19 a.m.
Hi Andrew.
I really appreciate your help!!
OK. How many systems (approximately) use this? How many users are
registered,
and how many groups?
200 Servers and 20 users
I hope you don't really bind with the ROOTDN account!
NO!
and I have a user to test the configuration but I do not use it to
bind purposes, but I could if I knew how to configure it.
You should also add:
tls_reqcert demand
and you may want to consider restricting the connection to high-grade
ciphers e.g.:
tls_ciphers HIGH:MEDIUM:@STRENGTH
Both, client and server side right?
Thanks for your time and support
Best regards.
2014-10-28 15:43 GMT-03:00 Andrew Findlay <andrew.findlay(a)skills-1st.co.uk>:
On Tue, Oct 28, 2014 at 01:53:22PM -0300, Net Warrior wrote:
> >So is the LDAP service just used to provide passwd and group databases
> >for Unix-like systems, and not for any other purpose?
>
> Yes, only password auth
OK. How many systems (approximately) use this? How many users are
registered,
and how many groups?
> >If my guess above is right then you have missed a very important class
> >of LDAP user. Every Unix-like server must access LDAP data.
> >Do your Unix/Linux systems bind to LDAP with specific DNs?
> >(This will be configured in files such as /etc/ldap.conf /etc/nslcd.conf
> >/etc/sssd.conf etc...)
>
> Yes,
> ldap.conf client config file.
> base dc=server,dc=com
>
> # The distinguished name to bind to the server with.
> # Optional: default is to bind anonymously.
> #binddn cn=Manager,dc=example,dc=com
I hope you don't really bind with the ROOTDN account!
That would expose the most important password in your system to anyone
who managed to compromise a single server.
I would suggest creating either a single account for all client machines
of a given type, or one account per client machine. That way if one
client gets compromised you just have to change one password and don't have
to rush around fixing every other client config. Please tell us what you
decide
to do here, as it affects how the ACLs might be written.
> bind_policy soft
> idle_timelimit 3600
> pam_filter objectClass=posixAccount
> pam_lookup_policy yes
> pam_check_host_attr yes
> pam_password exop
> nss_base_passwd ou=Users,dc=server,dc=com?one
> nss_base_shadow ou=Users,dc=server,dc=com?one
> nss_base_group ou=Groups,dc=server,dc=com?one
>
> ssl start_tls
> #ssl on
> tls_cacertfile /etc/openldap/certs/cert.pem
> tls_cacertdir /etc/openldap/certs
You should also add:
tls_reqcert demand
and you may want to consider restricting the connection to high-grade
ciphers e.g.:
tls_ciphers HIGH:MEDIUM:@STRENGTH
> >I assume you allow users to change their own passwords. How is this
handled?
> >Are users allowed to update any other details, or do all changes come
to you?
>
> yes, they can change their password based on the ppolicy and the pam
module,
> other properties are changed
> by me, like phone number, photo, address and so on.
OK, and the config lines above include 'pam_password exop' so it should use
the modern mechanism.
I am signing off for the day, but you might like to read this paper
bearing in mind what we have discussed:
http://www.skills-1st.co.uk/papers/ldap-acls-jan-2009/
I think we are heading for a very simple 'User read-only' policy, but there
may be other issues to consider depending on the size of your user-base.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
9:43 a.m.
On Wed, Oct 29, 2014 at 08:19:03AM -0300, Net Warrior wrote:
200 Servers and 20 users
OK - that means that you will not have problems with the default
limits on result-set size (500 entries).
>I hope you don't really bind with the ROOTDN account!
NO! and I have a user to test the configuration but I do not use it to bind
purposes, but I could if I knew how to configure it.
As you have quite a lot of servers and a policy of hiding all data
from anonymous users, I would suggest having more than one LDAP-client
account. Either create one per client server, or one per group of similar
servers.
I would suggest putting the client accounts in a dedicated part of the
LDAP tree, so it might look like this:
ou=Users,dc=server,dc=com POSIX user accounts
ou=Groups,dc=server,dc=com POSIX groups
ou=Clients,dc=server,dc=com Client machine accounts
You need to get all your client machines to bind with their account DN
and password before you start changing ACLs. Config file entries will look
something like this:
binddn cn=server1,ou=Clients,dc=server,dc=com
bindpw SomeLongAndSecurePassword
>You should also add:
>tls_reqcert demand
>and you may want to consider restricting the connection to high-grade ciphers
e.g.:
>tls_ciphers HIGH:MEDIUM:@STRENGTH
Both, client and server side right?
Yes, but the keyword for slapd.conf is TLSCipherSuite
and for ldap.conf it is TLS_CIPHER_SUITE
Once you have *all* the clients using TLS and binding with their client
account and password, you can start on ACLs. If your logging includes
the 'stats' category (256) you will be able to see TLS setup and bind
in the logs, e.g.:
Oct 28 18:25:38 ldapserver slapd[4846]: conn=1009 fd=26 ACCEPT from IP=[::1]:43386
(IP=[::]:389)
Oct 28 18:25:38 ldapserver slapd[4846]: conn=1009 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Oct 28 18:25:38 ldapserver slapd[4846]: conn=1009 op=0 STARTTLS
Oct 28 18:25:38 ldapserver slapd[4846]: conn=1009 op=0 RESULT oid= err=0 text=
Oct 28 18:25:38 ldapserver slapd[4846]: conn=1009 fd=26 TLS established tls_ssf=128
ssf=128
Oct 28 18:25:38 ldapserver slapd[4846]: conn=1009 op=1 BIND
dn="cn=client234,ou=Clients,dc=server,dc=com" method=128
Oct 28 18:25:38 ldapserver slapd[4846]: conn=1009 op=1 BIND
dn="cn=client234,ou=Clients,dc=server,dc=com" mech=SIMPLE ssf=0
Oct 28 18:25:38 ldapserver slapd[4846]: conn=1009 op=1 RESULT tag=97 err=0 text=
After all that, the ACLs turn out to be really simple! Something like this
will probably be close to what you need for the main database:
access to attrs="userPassword"
by self =w
by * auth
access to * by users read
access to * by * none
If you have a replica server then you will need to add an ACL giving read access
to all attributes. This should go right at the top of the list, and will look something
like this:
access to * by dn.exact="cn=replicator,ou=Clients,dc=server,dc=com" read
If you are using the Monitor database then you should probably protect it like this:
access to dn.subtree="cn=Monitor"
by users read
by * none
And to make sure that critical stuff like the root DSE and the schema can be
read by everyone, add this to the global section of the config:
access to * by * read
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
10:51 a.m.
Ok, thank you very much, I'm gonna review the configuration and follow your
advice.
Best regards.
2014-10-29 13:43 GMT-03:00 Andrew Findlay <andrew.findlay(a)skills-1st.co.uk>:
On Wed, Oct 29, 2014 at 08:19:03AM -0300, Net Warrior wrote:
> 200 Servers and 20 users
OK - that means that you will not have problems with the default
limits on result-set size (500 entries).
> >I hope you don't really bind with the ROOTDN account!
> NO! and I have a user to test the configuration but I do not use it to
bind
> purposes, but I could if I knew how to configure it.
As you have quite a lot of servers and a policy of hiding all data
from anonymous users, I would suggest having more than one LDAP-client
account. Either create one per client server, or one per group of similar
servers.
I would suggest putting the client accounts in a dedicated part of the
LDAP tree, so it might look like this:
ou=Users,dc=server,dc=com POSIX user accounts
ou=Groups,dc=server,dc=com POSIX groups
ou=Clients,dc=server,dc=com Client machine accounts
You need to get all your client machines to bind with their account DN
and password before you start changing ACLs. Config file entries will look
something like this:
binddn cn=server1,ou=Clients,dc=server,dc=com
bindpw SomeLongAndSecurePassword
> >You should also add:
> >tls_reqcert demand
> >and you may want to consider restricting the connection to high-grade
ciphers
> e.g.:
> >tls_ciphers HIGH:MEDIUM:@STRENGTH
>
> Both, client and server side right?
Yes, but the keyword for slapd.conf is TLSCipherSuite
and for ldap.conf it is TLS_CIPHER_SUITE
Once you have *all* the clients using TLS and binding with their client
account and password, you can start on ACLs. If your logging includes
the 'stats' category (256) you will be able to see TLS setup and bind
in the logs, e.g.:
Oct 28 18:25:38 ldapserver slapd[4846]: conn=1009 fd=26 ACCEPT from
IP=[::1]:43386 (IP=[::]:389)
Oct 28 18:25:38 ldapserver slapd[4846]: conn=1009 op=0 EXT
oid=1.3.6.1.4.1.1466.20037
Oct 28 18:25:38 ldapserver slapd[4846]: conn=1009 op=0 STARTTLS
Oct 28 18:25:38 ldapserver slapd[4846]: conn=1009 op=0 RESULT oid= err=0
text=
Oct 28 18:25:38 ldapserver slapd[4846]: conn=1009 fd=26 TLS established
tls_ssf=128 ssf=128
Oct 28 18:25:38 ldapserver slapd[4846]: conn=1009 op=1 BIND
dn="cn=client234,ou=Clients,dc=server,dc=com" method=128
Oct 28 18:25:38 ldapserver slapd[4846]: conn=1009 op=1 BIND
dn="cn=client234,ou=Clients,dc=server,dc=com" mech=SIMPLE ssf=0
Oct 28 18:25:38 ldapserver slapd[4846]: conn=1009 op=1 RESULT tag=97 err=0
text=
After all that, the ACLs turn out to be really simple! Something like this
will probably be close to what you need for the main database:
access to attrs="userPassword"
by self =w
by * auth
access to * by users read
access to * by * none
If you have a replica server then you will need to add an ACL giving read
access
to all attributes. This should go right at the top of the list, and will
look something
like this:
access to * by dn.exact="cn=replicator,ou=Clients,dc=server,dc=com" read
If you are using the Monitor database then you should probably protect it
like this:
access to dn.subtree="cn=Monitor"
by users read
by * none
And to make sure that critical stuff like the root DSE and the schema can
be
read by everyone, add this to the global section of the config:
access to * by * read
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
4:11 a.m.
Hi Andrew, I've got some updates.
1 ) Added tls_reqcert demand to the client side
2 ) Configured a user to bind instead of anonymous
binddn cn=ldapuser,Ou=Users,dc=server,dc=com
bindpwd :$6$oZ8qYohy$lU0sYJXInOO1ISO4WKgzeuDyyFh9a
3 ) Added olcTLSVerifyClient:demand to server side:
Now as I can see this is good, the TLS is established with a strong
security factor of 256.
Oct 30 07:57:07 ldapserver slapd[12581]: conn=8575 fd=252 ACCEPT from
IP=X.X.X.X:58387 (IP=0.0.0.0:389)
Oct 30 07:57:07 ldapserver slapd[12581]: conn=8575 op=0 EXT
oid=1.3.6.1.4.1.1466.20037
Oct 30 07:57:07 ldapserver slapd[12581]: conn=8575 op=0 STARTTLS
Oct 30 07:57:07 ldapserver slapd[12581]: conn=8575 op=0 RESULT oid= err=0
text=
Oct 30 07:57:07 ldapserver slapd[12581]: conn=8575 fd=252 TLS established
tls_ssf=256 ssf=256
The user configured to bind from the client side
Oct 30 07:57:07 ldapserver slapd[12581]: conn=8575 op=1 BIND
dn="cn=ldapuser,ou=Users,dc=server,dc=com" method=128
Oct 30 07:57:07 ldapserver slapd[12581]: conn=8575 op=1 BIND
dn="cn=ldapuser,ou=Users,dc=server,dc=com" mech=SIMPLE ssf=0
My user id used to login to the server:
Oct 30 07:57:07 ldapserver slapd[12581]: conn=8575 op=3 BIND dn="cn=My
Username,ou=Users,dc=serverdc=com" method=128
Object added to server:
dn: olcDatabase={2}bdb,cn=config
changetype:modify
add: olcTLSVerifyClient:demand
Still I did not corrected my ACL but I do not see olcTLSVerifyClient:demand
reflected on my configuration
with slapcat -n0 I only see the this:
olcTLSCACertificateFile: /etc/openldap/certs/cert.pem
olcTLSCertificateKeyFile: /etc/openldap/certs/private.key
olcTLSCertificateFile: /etc/openldap/certs/cert.pem
Did I do something wrong?
Thanks for your time and support
Regards
2014-10-29 14:51 GMT-03:00 Net Warrior <netwarrior863(a)gmail.com>:
Ok, thank you very much, I'm gonna review the configuration and
follow
your advice.
Best regards.
2014-10-29 13:43 GMT-03:00 Andrew Findlay <andrew.findlay(a)skills-1st.co.uk
>:
On Wed, Oct 29, 2014 at 08:19:03AM -0300, Net Warrior wrote:
>
> > 200 Servers and 20 users
>
> OK - that means that you will not have problems with the default
> limits on result-set size (500 entries).
>
> > >I hope you don't really bind with the ROOTDN account!
> > NO! and I have a user to test the configuration but I do not use it
> to bind
> > purposes, but I could if I knew how to configure it.
>
> As you have quite a lot of servers and a policy of hiding all data
> from anonymous users, I would suggest having more than one LDAP-client
> account. Either create one per client server, or one per group of similar
> servers.
>
> I would suggest putting the client accounts in a dedicated part of the
> LDAP tree, so it might look like this:
>
> ou=Users,dc=server,dc=com POSIX user accounts
> ou=Groups,dc=server,dc=com POSIX groups
> ou=Clients,dc=server,dc=com Client machine accounts
>
> You need to get all your client machines to bind with their account DN
> and password before you start changing ACLs. Config file entries will look
> something like this:
>
> binddn cn=server1,ou=Clients,dc=server,dc=com
> bindpw SomeLongAndSecurePassword
>
> > >You should also add:
> > >tls_reqcert demand
> > >and you may want to consider restricting the connection to high-grade
> ciphers
> > e.g.:
> > >tls_ciphers HIGH:MEDIUM:@STRENGTH
> >
> > Both, client and server side right?
>
> Yes, but the keyword for slapd.conf is TLSCipherSuite
> and for ldap.conf it is TLS_CIPHER_SUITE
>
> Once you have *all* the clients using TLS and binding with their client
> account and password, you can start on ACLs. If your logging includes
> the 'stats' category (256) you will be able to see TLS setup and bind
> in the logs, e.g.:
>
> Oct 28 18:25:38 ldapserver slapd[4846]: conn=1009 fd=26 ACCEPT from
> IP=[::1]:43386 (IP=[::]:389)
> Oct 28 18:25:38 ldapserver slapd[4846]: conn=1009 op=0 EXT
> oid=1.3.6.1.4.1.1466.20037
> Oct 28 18:25:38 ldapserver slapd[4846]: conn=1009 op=0 STARTTLS
> Oct 28 18:25:38 ldapserver slapd[4846]: conn=1009 op=0 RESULT oid= err=0
> text=
> Oct 28 18:25:38 ldapserver slapd[4846]: conn=1009 fd=26 TLS established
> tls_ssf=128 ssf=128
> Oct 28 18:25:38 ldapserver slapd[4846]: conn=1009 op=1 BIND
> dn="cn=client234,ou=Clients,dc=server,dc=com" method=128
> Oct 28 18:25:38 ldapserver slapd[4846]: conn=1009 op=1 BIND
> dn="cn=client234,ou=Clients,dc=server,dc=com" mech=SIMPLE ssf=0
> Oct 28 18:25:38 ldapserver slapd[4846]: conn=1009 op=1 RESULT tag=97
> err=0 text=
>
> After all that, the ACLs turn out to be really simple! Something like this
> will probably be close to what you need for the main database:
>
> access to attrs="userPassword"
> by self =w
> by * auth
>
> access to * by users read
>
> access to * by * none
>
> If you have a replica server then you will need to add an ACL giving read
> access
> to all attributes. This should go right at the top of the list, and will
> look something
> like this:
>
> access to * by dn.exact="cn=replicator,ou=Clients,dc=server,dc=com" read
>
> If you are using the Monitor database then you should probably protect it
> like this:
>
> access to dn.subtree="cn=Monitor"
> by users read
> by * none
>
> And to make sure that critical stuff like the root DSE and the schema can
> be
> read by everyone, add this to the global section of the config:
>
> access to * by * read
>
>
> Andrew
> --
> -----------------------------------------------------------------------
> | From Andrew Findlay, Skills 1st Ltd |
> | Consultant in large-scale systems, networks, and directory services |
> | http://www.skills-1st.co.uk/ +44 1628 782565 |
> -----------------------------------------------------------------------
>
5:23 a.m.
On Thu, Oct 30, 2014 at 08:11:31AM -0300, Net Warrior wrote:
1 ) Added tls_reqcert demand to the client side
2 ) Configured a user to bind instead of anonymous
binddn cn=ldapuser,Ou=Users,dc=server,dc=com
bindpwd :$6$oZ8qYohy$lU0sYJXInOO1ISO4WKgzeuDyyFh9a
Good.
3 ) Added olcTLSVerifyClient:demand to server side:
I suspect that you do not want that. It would force every client to
have a client-side X.509 certificate. Good for secure authentication,
but more effort to manage than most people are prepared to handle.
Object added to server:
dn: olcDatabase={2}bdb,cn=config
changetype:modify
add: olcTLSVerifyClient:demand
Still I did not corrected my ACL but I do not see olcTLSVerifyClient:demand
reflected on my configuration
That is because you tried to add it to a database but it is a global option.
Are you really using the BDB database? It has been deprecated for some time now.
I would suggest using MDB.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
5:54 a.m.
Hi Andrew
I suspect that you do not want that. It would force every client to
have a client-side X.509 certificate. Good for secure authentication,
but more effort to manage than most people are prepared to handle.
Is it because of the certificte expiration or something like that tha's
hard to mantain?
That is because you tried to add it to a database but it is a global
option.
I added to the global section cn=config and do not see it.
Are you really using the BDB database? It has been deprecated for some
time now.
I would suggest using MDB
Yes my bad, after I went to production, I was told that backend was
deprecated, is there any doc related to migrate from one backend to
another or should I reconfigure the whole database from scratch ?
Thanks for your time and support, really appreciated.
Regards.
2014-10-30 9:23 GMT-03:00 Andrew Findlay <andrew.findlay(a)skills-1st.co.uk>:
On Thu, Oct 30, 2014 at 08:11:31AM -0300, Net Warrior wrote:
> 1 ) Added tls_reqcert demand to the client side
> 2 ) Configured a user to bind instead of anonymous
> binddn cn=ldapuser,Ou=Users,dc=server,dc=com
> bindpwd :$6$oZ8qYohy$lU0sYJXInOO1ISO4WKgzeuDyyFh9a
Good.
> 3 ) Added olcTLSVerifyClient:demand to server side:
I suspect that you do not want that. It would force every client to
have a client-side X.509 certificate. Good for secure authentication,
but more effort to manage than most people are prepared to handle.
> Object added to server:
>
> dn: olcDatabase={2}bdb,cn=config
> changetype:modify
> add: olcTLSVerifyClient:demand
>
> Still I did not corrected my ACL but I do not see
olcTLSVerifyClient:demand
> reflected on my configuration
That is because you tried to add it to a database but it is a global
option.
Are you really using the BDB database? It has been deprecated for some
time now.
I would suggest using MDB.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
5:55 a.m.
On Thu, Oct 30, 2014 at 09:54:57AM -0300, Net Warrior wrote:
>I suspect that you do not want that. It would force every client
to
>have a client-side X.509 certificate. Good for secure authentication,
>but more effort to manage than most people are prepared to handle.
Is it because of the certificte expiration or something like that tha's hard to
mantain?
Yes. It is worth considering though, provided you have a well-organised
system for distributing and installing new client-side certificates.
You will also need to make sure that the admin tools you use can work with
client-side certs.
>That is because you tried to add it to a database but it is a
global option.
I added to the global section cn=config and do not see it.
Odd. If you use ldapadd to do this then it should either work or return an error code.
>Are you really using the BDB database? It has been deprecated for
some time
now.
>I would suggest using MDB
Yes my bad, after I went to production, I was told that backend was
deprecated, is there any doc related to migrate from one backend to another or
should I reconfigure the whole database from scratch ?
The safest approach is to slapcat each of your databases into LDIF files
then configure new MDB databases and slapadd the data. You will find
that loading MDB with slapadd -q is extremely fast.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
3256
days inactive
3260
days old
openldap-technical@openldap.org
18 comments
4 participants
participants (4)
-
Andrew Findlay -
Dieter Klünter -
Michael Ströder -
Net Warrior